In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration: a token that carries a correct signature is accepted even after its expiry or before its not-before time. The issue requires a dataplane configured to support HTTP proxy consumer pull AND the "transfer-data-plane" module to be included. The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
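The flaw above is a missing-check bug, not a cryptographic one: signature verification succeeds and the temporal claims are never consulted. The following is an added illustration, not code from EDC or from the Eclipse project, of the two validation patterns side by side: one that stops at the signature (the pattern the advisory describes) and one that also enforces exp, nbf and iat against the server clock. It assumes HS256 with a shared key purely to keep the example self-contained and stdlib-only; the KEY, the fixed clock NOW and the three tokens are constructed for the demo and do not come from any real deployment.

```python
"""Signature-only JWT validation next to validation that also enforces exp/nbf/iat.
Self-contained HS256 using only the standard library. Illustrative, not EDC code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo inputs (hypothetical); not from any real deployment.
KEY = b"constructed-demo-key"
NOW = 1_726_000_000  # fixed clock (seconds since epoch) so the run is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS over the given claims (demo helper, not an EDC API)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def _verified_claims(token: str, key: bytes) -> dict:
    """Check structure, algorithm and HMAC; return the claims WITHOUT any time checks."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_signature_only(token: str, key: bytes, now=None) -> dict:
    """Flawed pattern: a correctly signed token is accepted regardless of exp/nbf/iat.
    `now` is deliberately ignored; it exists only so both validators share one call shape."""
    return _verified_claims(token, key)


def validate_with_time_checks(token: str, key: bytes, now=None, leeway: int = 0) -> dict:
    """Hardened pattern: signature first, then the temporal claims against the server clock."""
    claims = _verified_claims(token, key)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        raise ValueError("missing exp")  # an unbounded token is a policy failure, not a pass
    if now > exp + leeway:
        raise ValueError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise ValueError("token not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise ValueError("token issued in the future")
    return claims


def outcome(validator, token: str, key: bytes, now: float) -> str:
    """Run one validator and report 'accepted' or 'rejected: <reason>'."""
    try:
        validator(token, key, now)
    except ValueError as err:
        return f"rejected: {err}"
    return "accepted"


# Constructed tokens: one expired an hour ago, one not valid for another ten minutes, one fresh.
EXPIRED = mint_token({"sub": "consumer-a", "iat": NOW - 7200, "exp": NOW - 3600}, KEY)
NOT_YET_VALID = mint_token({"sub": "consumer-a", "nbf": NOW + 600, "exp": NOW + 3600}, KEY)
FRESH = mint_token({"sub": "consumer-a", "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}, KEY)

if __name__ == "__main__":
    for name, token in (("expired", EXPIRED), ("not-yet-valid", NOT_YET_VALID), ("fresh", FRESH)):
        print(f"{name:14} signature-only: {outcome(validate_signature_only, token, KEY, NOW):30} "
              f"with time checks: {outcome(validate_with_time_checks, token, KEY, NOW)}")
```

Running it shows the signature-only validator accepting all three tokens, while the hardened one rejects the expired and not-yet-valid ones. The ordering matters in practice: verify the signature before reading any claim (so an attacker cannot steer the checks with unauthenticated data), then treat a missing exp as a failure rather than as "no expiry", and apply a small, explicit leeway rather than trusting clocks to agree exactly.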
Fixes

Solution

No solution given by the vendor. (The description above records that the affected controller was deprecated from version 0.6.0 in favour of Dataplane Signaling and that the vulnerable code was removed in 0.9.0.)


Workaround

No workaround given by the vendor. (Per the description above, the issue only applies to a dataplane configured for HTTP proxy consumer pull that also includes the "transfer-data-plane" module.)

History

Thu, 19 Sep 2024 15:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Eclipse
                                      Eclipse eclipse Dataspace Components
Weaknesses           -                CWE-287
CPEs                 -                cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:*
Vendors & Products   -                Eclipse
                                      Eclipse eclipse Dataspace Components
Metrics              -                cvssV3_1
                                      {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Thu, 12 Sep 2024 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Eclipse Foundation
                                      Eclipse Foundation edc
CPEs                 -                cpe:2.3:a:eclipse_foundation:edc:0.5.0:*:*:*:*:*:*:*
Vendors & Products   -                Eclipse Foundation
                                      Eclipse Foundation edc
Metrics              -                ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Sep 2024 13:45:00 +0000

Type                 Values Removed   Values Added
Description          -                In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
Title                -                Eclipse EDC: Consumer pull transfer token validation checks not applied
Weaknesses           -                CWE-303
                                      CWE-305
References           -
Metrics              -                cvssV4_0
                                      {'score': 5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2024-09-11T14:06:55.373Z

Reserved: 2024-09-10T06:20:33.205Z

Link: CVE-2024-8642

Vulnrichment

Updated: 2024-09-11T14:06:44.769Z

NVD

Status : Analyzed

Published: 2024-09-11T14:15:14.177

Modified: 2024-09-19T15:18:47.917

Link: CVE-2024-8642

Redhat

No data.

OpenCVE Enrichment

No data.